The practical guidance aims to make it more difficult for hackers to gain unauthorized access to networks. These security measures include:

Insisting on long, complex and unique passwords. Companies should establish secure corporate password standards, implement minimum password requirements, and ensure employees are informed about how to create strong passwords. Obvious choices such as “ABCABC” or “qwerty” should be avoided, and users should opt for longer passwords or passphrases when creating their login credentials. Passwords should be unique to each user, and different passwords should be required for different applications. Additionally, default passwords should be changed immediately, and when designing products that require consumers to use a password, consumers should be prompted to change the default during setup.

Storing passwords securely. Even the strongest password is ineffective if it is not protected. Disclosing a password over the phone or by email, sharing it with others, or writing it down without properly storing or disposing of the record may lead to the password being compromised. A compromised password that unlocks further sensitive data is particularly dangerous (e.g., one that grants access to a database of other users’ credentials). To mitigate these risks, companies should implement policies and procedures for storing credentials securely.

Guarding against brute force attacks. A brute force attack occurs when hackers use automated programs to systematically guess password combinations. For example, the program may attempt to log in with aaaa1, then aaaa2, and so on until it guesses the right combination. To blunt such attacks, companies should set up their systems to suspend or disable a user account after a set number of unsuccessful login attempts.
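The following is an added example, written for this post and not code from the FTC guidance or from Hunton & Williams, showing the lockout rule above as a small Python login guard. The credential table, the `alice` account and its password are constructed stand-ins (a real store holds salted hashes, not plaintext), and the clock is injectable so the suspension window can be driven without waiting.

```python
"""Account lockout after repeated failed logins (added illustration)."""
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # bad guesses tolerated before the account is suspended
LOCKOUT_SECONDS = 15 * 60   # length of the suspension (temporary, not permanent)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Checks passwords and suspends an account after MAX_FAILURES bad guesses.

    `credentials` maps username -> password and is a constructed stand-in for a
    real credential store. `clock` is injectable for deterministic testing.
    """

    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = credentials
        self._clock = clock
        self._state = {}

    def _state_for(self, user):
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._clock() < self._state_for(user).locked_until

    def attempt_login(self, user, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        st = self._state_for(user)
        now = self._clock()
        if now < st.locked_until:
            # Refuse before looking at the password: while suspended, the
            # guesser learns nothing about whether the current guess was right.
            return "locked"
        expected = self._credentials.get(user, "")
        known = user in self._credentials
        # Constant-time comparison, and unknown users take the same failure
        # path, so response timing does not reveal which usernames exist.
        if hmac.compare_digest(expected.encode(), password.encode()) and known:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return "bad_credentials"


def simulate_brute_force():
    """Run the aaaa1, aaaa2, ... pattern from the text against the guard.

    Returns (outcomes, recovered): the results of the first seven attempts, and
    the result of the correct password once the suspension has expired.
    """
    clock = [0.0]   # advanced by hand instead of sleeping
    guard = LoginGuard({"alice": "correct horse battery staple"},
                       clock=lambda: clock[0])
    outcomes = [guard.attempt_login("alice", f"aaaa{i}") for i in range(1, 7)]
    # Even the right password is refused while the suspension is active.
    outcomes.append(guard.attempt_login("alice", "correct horse battery staple"))
    clock[0] += LOCKOUT_SECONDS
    recovered = guard.attempt_login("alice", "correct horse battery staple")
    return outcomes, recovered


if __name__ == "__main__":
    print(simulate_brute_force())
```

The fifth wrong guess trips the suspension, the sixth guess and the genuine password are both refused with `locked`, and only after the window passes does the real password succeed. The example chooses a temporary suspension rather than a permanent disable because a lockout rule can be turned against legitimate users: anyone who knows a username can deliberately feed it wrong passwords. Pairing a short lockout with request throttling keeps the brute force defence without handing attackers an easy denial of service.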

Protecting sensitive accounts with more than just a password. For certain kinds of sensitive data, companies may need to take additional steps to protect against hacking. Consumers and employees often reuse usernames and passwords across accounts, and once those fall into the wrong hands they fuel credential stuffing attacks, in which stolen username and password pairs are tried at scale against popular websites to see which still work. To protect against this kind of attack, companies should combine multiple authentication techniques for accounts with access to sensitive data. For example, companies should require verification codes generated by voice call or text message, or security keys that must be inserted into a USB port, before granting access. Requiring employees to log into a virtual private network to gain access to systems provides an additional layer of protection.
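As an added example (not code from the FTC or from the firm), the following Python sketches the "more than just a password" step for a sensitive account: a login that, for accounts flagged as reaching sensitive data, also demands a one-time verification code delivered out of band by text or voice call. The `dba` account, the `SENSITIVE_ACCOUNTS` set, the delivery callback and the server key are all constructed assumptions; the password check itself is represented by a boolean so the block stays focused on the second factor.

```python
"""Step-up authentication for sensitive accounts (added illustration)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60     # a delivered code stops working after this
MAX_CODE_ATTEMPTS = 3         # six digits is a small space; retries must be capped
SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret (e.g. from a KMS)
SENSITIVE_ACCOUNTS = {"dba"}           # constructed: accounts that reach sensitive data


def _code_tag(user, code):
    # Keep a keyed hash rather than the code, so a read of the pending-code
    # table does not hand out usable codes. For a six-digit code the real
    # protections are the expiry, single use and attempt cap enforced below.
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()


class SecondFactor:
    """Issues and checks one-time codes sent out of band (SMS or voice call)."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver     # callable(user, code): the SMS/voice channel
        self._clock = clock
        self._pending = {}          # user -> [tag, expires_at, attempts_left]

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [_code_tag(user, code),
                               self._clock() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS]
        self._deliver(user, code)

    def verify(self, user, submitted):
        """Return 'ok', 'wrong', 'expired', 'too_many_attempts' or 'no_code'."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return "expired"
        if attempts_left <= 0:
            del self._pending[user]
            return "too_many_attempts"
        entry[2] -= 1
        if hmac.compare_digest(tag, _code_tag(user, submitted)):
            del self._pending[user]   # single use: a replayed code is refused
            return "ok"
        return "wrong"


def login(user, password_ok, second_factor, code=None):
    """Grant a session only after every factor the account requires has passed."""
    if not password_ok:
        return "denied"
    if user not in SENSITIVE_ACCOUNTS:
        return "session"
    if code is None:
        second_factor.issue(user)
        return "code_required"
    return "session" if second_factor.verify(user, code) == "ok" else "denied"


def demo():
    """Exercise the flow with a hand-driven clock and a fake delivery channel."""
    clock = [0.0]
    outbox = []                          # what the SMS/voice channel would carry
    sf = SecondFactor(deliver=lambda u, c: outbox.append(c), clock=lambda: clock[0])
    r = {}
    r["ordinary_user"] = login("guest", True, sf)        # no step-up needed
    r["wrong_password"] = login("dba", False, sf)        # first factor fails
    r["first_step"] = login("dba", True, sf)             # code goes to the outbox
    code = outbox[-1]
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    r["guesses"] = [sf.verify("dba", wrong) for _ in range(3)]
    r["after_limit"] = sf.verify("dba", code)            # right code, cap reached
    login("dba", True, sf)                               # fresh code issued
    r["correct"] = login("dba", True, sf, outbox[-1])
    r["replay"] = login("dba", True, sf, outbox[-1])     # same code a second time
    login("dba", True, sf)
    clock[0] += CODE_TTL_SECONDS + 1
    r["stale"] = sf.verify("dba", outbox[-1])
    return r


if __name__ == "__main__":
    print(demo())
```

Each failure mode a stolen or guessed password would otherwise walk through is closed separately: an ordinary account gets a session on the password alone, a sensitive account gets nothing until a code arrives, three wrong guesses exhaust the code even if the fourth is right, a used code cannot be replayed, and an old code expires. A hardware security key replaces the delivered code with a challenge signed by the key, but the gating logic in `login` is the same.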

Protecting against authentication bypass. Hackers who cannot get past a site’s main login page may try other routes, such as requesting directly a page or application that is supposed to be reachable only after the user has signed on. To counter this, companies should ensure that entry is allowed only through a single secure authentication point and that there are no backdoors that hackers can target.
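The bypass described above, and the single-authentication-point fix, as an added Python example that is not part of the original post or the FTC guidance. Two tiny request dispatchers are compared: in the first, each handler is trusted to check the session itself and the `/export` handler forgot; in the second, one gate runs before routing, denies by default and lets through only an explicit allowlist of public paths. The routes, the `Request` type and the `alice` session are constructed for the illustration, and the `unauthenticated_reachable` function is the audit check a reviewer would run to find such backdoors.

```python
"""Authentication bypass: per-handler checks versus one authentication point."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # set only when a valid session was presented


def login_page(req):
    return 200, "login form"


def dashboard(req):
    if req.user is None:
        return 401, "sign in first"
    return 200, f"dashboard for {req.user}"


def export_report(req):
    # Written on the assumption that it is only ever linked from the dashboard,
    # so it never looks at the session. Anyone who requests /export directly
    # skips the login page entirely: this is the bypass the text describes.
    return 200, "all customer records"


# Vulnerable layout: every handler is trusted to do its own check, and one forgot.
UNSAFE_ROUTES = {"/login": login_page, "/dashboard": dashboard, "/export": export_report}


def dispatch_unsafe(req):
    handler = UNSAFE_ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


# Hardened layout: a single gate runs before routing, denies by default, and
# only an explicit allowlist of public paths gets through without a session.
# The handlers themselves are unchanged; the forgotten check no longer matters.
PUBLIC_PATHS = {"/login"}
SAFE_ROUTES = {"/login": login_page, "/dashboard": dashboard, "/export": export_report}


def dispatch_hardened(req):
    if req.path not in PUBLIC_PATHS and req.user is None:
        # Unknown paths are refused here as well, so probing without a session
        # cannot map out which protected routes exist.
        return 401, "sign in first"
    handler = SAFE_ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def unauthenticated_reachable(dispatch, routes):
    """Audit check: which registered paths answer 200 with no session at all?

    For a correctly gated application the answer equals PUBLIC_PATHS; anything
    else in the list is a backdoor.
    """
    return sorted(p for p in routes if dispatch(Request(path=p))[0] == 200)


if __name__ == "__main__":
    print("unsafe:  ", unauthenticated_reachable(dispatch_unsafe, UNSAFE_ROUTES))
    print("hardened:", unauthenticated_reachable(dispatch_hardened, SAFE_ROUTES))
```

Run against the vulnerable layout the audit lists `/export` alongside `/login`; against the hardened layout only `/login` remains. The useful habit is the audit itself: enumerate every route the application registers, request each one with no session, and compare the set that answers successfully to the intended public allowlist after every deployment.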

The FTC’s next blog post, to be published on Friday, August 18, will focus on securely storing sensitive personal information and protecting it during transmission.

ATTORNEY ADVERTISING. Case results depend upon a variety of factors unique to each case. Case results do not guarantee or predict a similar result in any future case. Unless otherwise noted, attorneys not certified by the Texas Board of Legal Specialization.

About our Global Privacy & Cybersecurity Practice Group

Hunton & Williams’ Global Privacy and Cybersecurity practice helps companies manage data at every step of the information life cycle. The firm is a leader in its field and for the fourth consecutive year has been ranked by Computerworld magazine in a survey of more than 4,000 corporate privacy leaders as the top law firm globally for privacy and data security. Chambers and Partners also rated Hunton & Williams the top privacy and data security practice in its Chambers Global, Chambers USA and Chambers UK guides.